Authorisation

Let's take a look at the seemingly innocent practice of OCSP stapling. Basically, it is a certification that your certificate is valid: the certificate attesting to the validity of your certificate is issued by your certificate authority and bundled with your original certificate. Sounds perfect! If only we could certify the validity of this second certificate too, with a third certificate issued by the same authority. That would certainly be enough; three certificates are enough for everyone. Right?

This practice stems from OCSP (an Internet protocol for obtaining the revocation status of a certificate), which is not nearly as funny, and far from «innocent».

The original OCSP implementation can introduce a significant cost for the certificate authorities (CA) because it requires them to provide responses to every client of a given certificate in real time. For example, when a certificate is issued to a high traffic website, the servers of CAs are likely to be hit by enormous volumes of OCSP requests querying the validity of the certificate.

Do you see what this quote implies? That FOR EACH SSL CONNECTION YOU MUST ASK THE AUTHORITY'S PERMISSION. The certificate authority is now an authority that decides whether to allow or refuse your SSL connections. In real time. You no longer decide to connect to a host of your choice; this decision is being moved to some authority.

Let that sink in.

====
P.S. Certificate revocation (without SSL) is not that dangerous and absurd. It was initially designed to work OFFLINE, i.e. all certificates, requests and answers are strictly timestamped — which makes revocation lists valuable and transferable — this is all designed for post-factum verification of documents and such.
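As an added illustration (not the blog's code) of the flow described in the quote above and of the timestamped, offline-verifiable design mentioned in the P.S.: a toy model in Python in which a CA issues status responses with a thisUpdate/nextUpdate window. Without stapling, every client asks the CA itself, once per connection; with stapling, the server fetches one response and presents it in the handshake until it nears nextUpdate, and the relying party checks it with only the CA's key and a clock. HMAC-SHA256 stands in for the CA's real signature, and the key, serial number and timestamps are constructed values.

```python
"""Toy model of OCSP versus OCSP stapling (constructed illustration).

The CA signs a status plus a validity window. A relying party verifies the
signature and the window offline; the CA counts how many queries it served.
HMAC-SHA256 is a stand-in for the responder's signature.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class OcspResponse:
    """Minimal stand-in for an OCSP single response: status plus validity window."""
    serial: str
    status: str        # "good" or "revoked"
    this_update: int   # seconds since epoch (constructed values, not real time)
    next_update: int
    signature: bytes


def _signed_body(serial: str, status: str, this_update: int, next_update: int) -> bytes:
    return json.dumps([serial, status, this_update, next_update]).encode()


class ToyCA:
    """Responder that answers status queries and counts how many it served."""

    def __init__(self, key: bytes, validity_seconds: int = 3600):
        self.key = key
        self.validity = validity_seconds
        self.revoked: set[str] = set()
        self.requests_served = 0

    def respond(self, serial: str, now: int) -> OcspResponse:
        self.requests_served += 1
        status = "revoked" if serial in self.revoked else "good"
        next_update = now + self.validity
        body = _signed_body(serial, status, now, next_update)
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return OcspResponse(serial, status, now, next_update, sig)


def verify_response(resp: OcspResponse, ca_key: bytes, now: int) -> str:
    """What the relying party checks, offline, with only the CA key and a clock."""
    body = _signed_body(resp.serial, resp.status, resp.this_update, resp.next_update)
    expected = hmac.new(ca_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, resp.signature):
        return "bad-signature"
    if not (resp.this_update <= now <= resp.next_update):
        return "stale"          # outside the window: the status is not trusted
    return resp.status


class StaplingServer:
    """TLS server that fetches one response and re-uses it until it is about to expire."""

    def __init__(self, serial: str, ca: ToyCA, refresh_margin: int = 300):
        self.serial = serial
        self.ca = ca
        self.refresh_margin = refresh_margin
        self.staple: OcspResponse | None = None

    def handshake(self, now: int) -> OcspResponse:
        if self.staple is None or now >= self.staple.next_update - self.refresh_margin:
            self.staple = self.ca.respond(self.serial, now)   # the only contact with the CA
        return self.staple                                     # sent inside the handshake


def plain_ocsp_handshake(serial: str, ca: ToyCA, now: int) -> OcspResponse:
    """Without stapling every client asks the CA itself, once per connection."""
    return ca.respond(serial, now)


def compare_ca_load(connections: int = 1000, interval: int = 1) -> tuple[int, int]:
    """Return (CA queries without stapling, CA queries with stapling) for
    `connections` handshakes spaced `interval` seconds apart."""
    key = b"constructed-demo-key"
    start = 1_700_000_000

    plain_ca = ToyCA(key)
    for i in range(connections):
        now = start + i * interval
        assert verify_response(plain_ocsp_handshake("0A1B", plain_ca, now), key, now) == "good"

    stapling_ca = ToyCA(key)
    server = StaplingServer("0A1B", stapling_ca)
    for i in range(connections):
        now = start + i * interval
        assert verify_response(server.handshake(now), key, now) == "good"

    return plain_ca.requests_served, stapling_ca.requests_served


def stale_staple_is_rejected() -> str:
    """A stapled response presented after next_update fails the offline check."""
    key = b"constructed-demo-key"
    ca = ToyCA(key, validity_seconds=3600)
    r = ca.respond("0A1B", now=1_700_000_000)
    return verify_response(r, key, now=1_700_000_000 + 3601)


if __name__ == "__main__":
    print(compare_ca_load())           # (1000, 1)
    print(compare_ca_load(1000, 10))   # (1000, 4)
    print(stale_staple_is_rejected())  # stale
```

The first number in each pair is the per-connection load the quote complains about; the second is what stapling leaves. The stale check is the P.S. in miniature: once the response carries a signed window, anyone holding the CA's key can judge it later without contacting the CA, and a response presented outside its window is simply not trusted.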

During the development of the Cordova application «Siberian Dice» for Android I have encountered a particularly nasty trouble, so very tiny yet absolutely devastating. It was a very well hidden trap, and the experience of falling into this trap was so spectacular and puzzling that I was moved to create a stackoverflow.com account — imagine my frustration! It is a terrible feeling when you find out that the problem you just faced is not googleable, and even stackoverflow has no answer, not even a stupid one. So, I had to investigate it myself. I succeeded and (because I did not want anybody else to lose any more time on investigating the bug I already investigated) posted the solution on stackoverflow. And then I forgot the issue.